CVE-2024-3744 MEDIUM

CVE-2024-3744: Kubernetes azure-file-csi-driver in versions before 1.29.4 and 1.30.1 discloses service account tokens in logs

Vendor Kubernetes
Product azure-file-csi-driver
Weakness CWE-532 · Sensitive info in logs
Published May 15, 2024
Last update February 13, 2025

CVSS base score

6.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

Key dates

02Disclosure timeline

May 15, 2024 CVE published
February 13, 2025 Record updated